Malicious PDF — malware analysis report

Static analysis result for SHA-256 3f1bbccdaf32dc13…

Verdict: MALICIOUS

File type: PDF

Size: 41.6 KB
Authoring application: PDFedit
MD5: ba9a3b666c5ef9815809d8d09474dd4b
SHA-1: 373190862797a78bc4fcf9f9769180144035f214
SHA-256: 3f1bbccdaf32dc13a1c59ee594e0e6631b288a59490f581f838833620ed3f998
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The critical PDF_SEO_LINK_FARM heuristic fired because this small PDF (41.6 KB) carries a large number of link annotations pointing at external PDF files on many different domains, all under the same /uploads/1/3/0/N/... path structure, which is the signature of mass-generated hosting rather than genuine document citations. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 independently supports the malicious classification. The attack pattern is a redirect into a link farm, whether for SEO manipulation or to route the reader into an unwanted-software delivery chain. No script or auto-open action is reported in the file itself (the only artifact carved from it is an embedded font), so the T1059.001 mapping describes what the linked chain ultimately delivers, not content executed by this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://printable-ebooks.com/uploads/1/3/0/5/130550787/juzifuvimani.pdf
    • http://www.poptopworkshop.com/uploads/1/3/0/6/130639026/bemelufekujiwu_lepazat.pdf
    • http://tolhouse-design.com/uploads/1/3/0/2/130272081/1088283.pdf
    • http://royalglossbrat.com/uploads/1/3/0/7/130740264/zanosonilov_lifinasidinalew.pdf
    • http://airfilledlife.com/uploads/1/3/0/4/130478009/zodejo.pdf
    • http://twincreeksproperties.com/uploads/1/3/0/3/130323818/gasero.pdf
    • http://www.vansrv6a.com/uploads/1/3/0/7/130775680/4bdbcd0522.pdf
    • http://writing4content.com/uploads/1/3/0/5/130539697/c844ccf53272666.pdf
    • http://salaamboston.com/uploads/1/3/0/7/130740073/2233011.pdf
    • http://deletecoinbase.com/uploads/1/3/0/4/130483216/4885894.pdf
    • http://mobilhomebluesky.com/uploads/1/3/0/7/130775350/vabakifajibinido.pdf
    • http://www.pepperpotdaycentre.co.uk/uploads/1/3/0/4/130435835/kalifawatot-nupuka.pdf
    • http://canyonsohana.com/uploads/1/3/0/6/130621557/kenilurodimafofobed.pdf
    • http://treetalkconsulting.com/uploads/1/3/0/9/130969011/3882160.pdf
    • http://litem.net/uploads/1/3/0/7/130740508/9511051.pdf
    • http://mountaingatewaytraining.org/uploads/1/3/0/7/130738988/fosujudogibavovud.pdf
    • http://sigmanuatkwc.com/uploads/1/3/0/5/130546392/lepelutedes.pdf
    • http://45northfarm.com/uploads/1/3/0/7/130739377/gadafaluwose_tigafuba.pdf
    • http://csjunioracademy.com/uploads/1/3/0/4/130483428/30a2cce97.pdf
    • http://meganlarsson.com/uploads/1/3/0/2/130287407/6700811.pdf
    • http://www.pittsburghareatutor.com/uploads/1/3/0/7/130739549/modadowidujo.pdf
    • http://vacationsofdiscovery.voyagerwebsites.com/uploads/1/3/0/3/130323559/130323559.html#balsa+wood+model+airplane+building
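The heuristic above describes a pattern, not a procedure. The following Python is an added example, not the analysis tool's code, that reproduces the two steps a reviewer would want to repeat by hand: pulling every /URI action out of a PDF's uncompressed indirect objects together with the channel that reaches it (link annotation, JavaScript, open/additional action), then scoring the link-farm pattern. The constructed sample PDF embeds URLs copied from the report's list. The thresholds (100 KB, 10 links, 70% clustering) and the "same generated path template" criterion, which lets the check fire even when every link sits on a different domain as in this sample, are my assumptions.

```python
"""Link-farm triage for a small PDF: pull every /URI action out of the
file's indirect objects, label the channel that reaches it, and score the
"many external .pdf links, clustered" pattern behind PDF_SEO_LINK_FARM.
Added example; thresholds and the path-template criterion are assumptions,
not the report tool's logic."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample, modelled on the report's extracted link list.
SAMPLE_URLS = [
    "http://printable-ebooks.com/uploads/1/3/0/5/130550787/juzifuvimani.pdf",
    "http://www.poptopworkshop.com/uploads/1/3/0/6/130639026/bemelufekujiwu_lepazat.pdf",
    "http://tolhouse-design.com/uploads/1/3/0/2/130272081/1088283.pdf",
    "http://royalglossbrat.com/uploads/1/3/0/7/130740264/zanosonilov_lifinasidinalew.pdf",
    "http://airfilledlife.com/uploads/1/3/0/4/130478009/zodejo.pdf",
    "http://twincreeksproperties.com/uploads/1/3/0/3/130323818/gasero.pdf",
    "http://www.vansrv6a.com/uploads/1/3/0/7/130775680/4bdbcd0522.pdf",
    "http://writing4content.com/uploads/1/3/0/5/130539697/c844ccf53272666.pdf",
    "http://salaamboston.com/uploads/1/3/0/7/130740073/2233011.pdf",
    "http://deletecoinbase.com/uploads/1/3/0/4/130483216/4885894.pdf",
    "http://vacationsofdiscovery.voyagerwebsites.com/uploads/1/3/0/3/130323559/130323559.html#balsa+wood+model+airplane+building",
]

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_LIT_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)   # literal string
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")            # hex string


def build_pdf(urls):
    """Constructed minimal PDF: one page whose /Annots are /Link annotations
    carrying /URI actions. Uncompressed so the scanner sees every object;
    the xref table is omitted because the scanner never uses it."""
    objs, refs = [], []
    for i, u in enumerate(urls, start=4):
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"{i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    f"/A << /S /URI /URI ({esc}) >> >>\nendobj\n")
        refs.append(f"{i} 0 R")
    head = ("%PDF-1.4\n"
            "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            "3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            f"/Annots [{' '.join(refs)}] >>\nendobj\n")
    return (head + "".join(objs) + "%%EOF\n").encode("latin-1")


def _unescape(raw):
    # Undo the PDF literal-string escapes used here: \( \) \\ (octal escapes not handled).
    return re.sub(rb"\\(.)", lambda m: m.group(1), raw).decode("latin-1")


def _channel(body):
    """Label the kind of object that carries the URI (the per-URL channel)."""
    if re.search(rb"/S\s*/JavaScript|/JS\b", body):
        return "javascript"
    if re.search(rb"/(OpenAction|AA)\b", body):
        return "auto-action"
    if re.search(rb"/Subtype\s*/Link", body):
        return "link annotation"
    return "other object"


def extract_uris(pdf_bytes):
    """Return [(url, channel)] for every /URI found inside an indirect object.
    Sees uncompressed objects only; inflate object streams first on real samples."""
    found = []
    for m in OBJ_RE.finditer(pdf_bytes):
        body = m.group(3)
        chan = _channel(body)
        for lit in URI_LIT_RE.finditer(body):
            found.append((_unescape(lit.group(1)), chan))
        for hx in URI_HEX_RE.finditer(body):
            h = re.sub(rb"\s", b"", hx.group(1)).decode("ascii")
            h += "0" * (len(h) % 2)          # PDF pads an odd final hex digit with 0
            found.append((bytes.fromhex(h).decode("latin-1"), chan))
    return found


def path_template(url):
    """Collapse digit runs in the directory part so generated paths compare equal:
    /uploads/1/3/0/5/130550787/x.pdf -> /uploads/N/N/N/N/N/*.pdf"""
    directory, _, leaf = urlsplit(url).path.rpartition("/")
    ext = leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""
    return re.sub(r"\d+", "N", directory) + "/*." + ext


def link_farm_check(pdf_bytes, max_size=100_000, min_links=10, ratio=0.7):
    """Fire when a small file carries many external links that are mostly .pdf
    targets and mostly share one host or one generated path template."""
    uris = extract_uris(pdf_bytes)
    external = [u for u, _ in uris if urlsplit(u).scheme in ("http", "https")]
    n = len(external)
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in external)
    templates = Counter(path_template(u) for u in external)
    top_host = hosts.most_common(1)[0] if hosts else ("", 0)
    top_tpl = templates.most_common(1)[0] if templates else ("", 0)
    clustered = n > 0 and max(top_host[1], top_tpl[1]) / n >= ratio
    fired = (len(pdf_bytes) <= max_size and n >= min_links
             and len(pdf_links) / max(n, 1) >= ratio and clustered)
    return {"size": len(pdf_bytes), "external_links": n, "pdf_links": len(pdf_links),
            "distinct_hosts": len(hosts), "top_host": top_host,
            "top_path_template": top_tpl, "channels": Counter(c for _, c in uris),
            "PDF_SEO_LINK_FARM": fired}


if __name__ == "__main__":
    for k, v in link_farm_check(build_pdf(SAMPLE_URLS)).items():
        print(f"{k}: {v}")
```

The scanner deliberately ignores the xref table and walks raw `obj ... endobj` spans, so it also works on deliberately damaged files; the cost is that objects packed into compressed object streams are invisible to it. On a real sample, rewrite the file first with `qpdf --qdf --object-streams=disable in.pdf out.pdf` and run the check on the output.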

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000040de.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x40DE
Size: 8400 bytes
SHA-256: 1a50095762c8e8377b184c9fedf97c07f52ef16563c55693192fdeb63881240f
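To verify a carved artifact's offset, size and hash independently of the sandbox, the following Python is an added example (not the analysis tool's code) of how a pdf-font-stream artifact like the one above is produced: scan for sfnt magics, validate the table directory, take the font's length from the furthest table end, hash the blob, and name it the way the report does. FlateDecode streams are inflated and scanned as well, because embedded font programs are normally compressed. The PDF and the two toy fonts it runs on are constructed inline; the analysed sample is not reproduced here.

```python
"""Carve embedded sfnt font programs (TrueType/OpenType) out of a PDF and
hash them, reproducing the 'pdf-font-stream' artifact line in the report.
Added example, not the analysis tool's code; the sample PDF and toy fonts
are constructed below."""
import hashlib
import re
import struct
import zlib

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")   # TrueType, Apple TrueType, CFF OpenType
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def sha256_hex(b):
    return hashlib.sha256(b).hexdigest()


def parse_sfnt_at(data, off):
    """Validate an sfnt table directory at `off` and return (length, [tags]) or None.
    Length is the end of the furthest table (offsets are relative to the font
    start), which is how a carver knows where the font stops."""
    if off + 12 > len(data):
        return None
    (num_tables,) = struct.unpack_from(">H", data, off + 4)
    if not 1 <= num_tables <= 64:
        return None
    dir_end = 12 + 16 * num_tables
    if off + dir_end > len(data):
        return None
    end, tags = dir_end, []
    for i in range(num_tables):
        tag, _checksum, toff, tlen = struct.unpack_from(">4sIII", data, off + 12 + 16 * i)
        if not all(0x20 <= c <= 0x7E for c in tag):       # tags are printable ASCII
            return None
        if toff < dir_end or off + toff + tlen > len(data):  # table must lie inside data
            return None
        tags.append(tag.decode("ascii"))
        end = max(end, toff + tlen)
    return end, tags


def carve_fonts(data):
    """Scan `data` for sfnt magics, validate each hit, and return carved blobs."""
    out, i = [], 0
    while True:
        hits = [h for h in (data.find(m, i) for m in SFNT_MAGICS) if h != -1]
        if not hits:
            return out
        off = min(hits)
        parsed = parse_sfnt_at(data, off)
        if parsed is None:
            i = off + 1                                  # false positive, keep scanning
            continue
        length, tags = parsed
        out.append({"offset": off, "size": length, "tables": tags,
                    "sha256": sha256_hex(data[off:off + length])})
        i = off + length


def carve_from_pdf(pdf):
    """Carve from the raw file, then from every stream that inflates with zlib.
    Inflated hits also record the file offset of the stream they came from."""
    found = carve_fonts(pdf)
    for m in STREAM_RE.finditer(pdf):
        try:
            inflated = zlib.decompress(m.group(1))
        except zlib.error:
            continue                                     # not a FlateDecode stream
        for f in carve_fonts(inflated):
            f["stream_offset"] = m.start(1)
            found.append(f)
    for n, f in enumerate(found):                        # name as the report does
        f["name"] = f"font_{n:02d}_sfnt_off{f['offset']:08x}.bin"
    return found


def build_sfnt(tables, version=b"\x00\x01\x00\x00"):
    """Constructed toy sfnt container: header, directory, then table data.
    Payload lengths are multiples of 4 so no padding arithmetic is needed."""
    n = len(tables)
    header = struct.pack(">4sHHHH", version, n, 0, 0, 0)
    records, body, off = b"", b"", 12 + 16 * n
    for tag, payload in tables:
        records += struct.pack(">4sIII", tag, 0, off, len(payload))
        body += payload
        off += len(payload)
    return header + records + body


def build_sample_pdf():
    """Constructed PDF with one raw font stream and one FlateDecode font stream."""
    font1 = build_sfnt([(b"head", b"\x00\x01" * 16), (b"glyf", b"\x7f" * 16)])
    font2 = build_sfnt([(b"CFF ", b"\x01\x00\x04\x02" * 8)], version=b"OTTO")
    packed = zlib.compress(font2)
    pdf = (b"%PDF-1.4\n" + b"% constructed sample, not the analysed file\n" * 3
           + b"5 0 obj\n<< /Length %d >>\nstream\n" % len(font1) + font1 + b"\nendstream\nendobj\n"
           + b"6 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed) + packed
           + b"\nendstream\nendobj\n%%EOF\n")
    return {"pdf": pdf, "font1": font1, "font2": font2}


if __name__ == "__main__":
    for f in carve_from_pdf(build_sample_pdf()["pdf"]):
        print(f["name"], f["size"], f["tables"], f["sha256"], f.get("stream_offset"))
```

The directory-bounds checks are what keep the magic scan honest: `\x00\x01\x00\x00` occurs constantly in binary data, so a hit is only carved when its table count, tag bytes and table extents all make sense. The carved size is the end of the furthest table, not the PDF /Length, so trailing padding a generator appended to the stream is excluded and the hash is stable across re-embeddings of the same font program.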